Two suggestions.
1) If the domain clients are Windows 7 (or Vista), you can use Group Policy to deny permissions to the guest SSID; easy to implement.
2) You can enforce machine authentication on your dot1x authentication profile for your employee network. When you do this, the controller caches the MAC of the successful clients (those that pass machine authentication to RADIUS) to the internal database (this time is configurable on the dot1x auth profile). You can then set up a MAC authentication profile on the guest network; however, in this case you'd use a "success" (meaning it is found) to put it in a deny role, or better yet a role that redirects the client to a captive portal page with instructions, etc.
I have customers doing both of these above with fairly good success. The caveat to #2 is dealing with machine authentication on your enterprise SSID and non-domain machines. To work around this, the MAC of these devices needs to be added manually to the internal database.